
Upload Users to IFS

After your AD FS configuration is complete, you will need to load users into IFS from LDAP. There is an option to search for each user and add them manually, but if you have a large group of Lawson users this is time consuming. IFS also offers a mass upload from a CSV file. The CSV file needs a header row, and the only required column is samAccountName.

Create your CSV file, then go to Manage > Users in IFS. Click "Upload" and browse to your CSV file. Click Open and the users will be added to IFS.

Using IPA to Update SSOP Identity after AD FS Configuration

Once your AD FS configuration is done, you'll need to update the SSOP identity with the userPrincipalName for all of your users in Lawson Security, since that is the value AD FS presents at login. IPA is a great tool for this task.

Some nodes that you’ll need include:

  • System Command – get AD users
    • Run a PowerShell command to get the samAccountName and userPrincipalName from Active Directory
    • powershell "Get-ADUser -Filter * -SearchBase '<OU Path (e.g. OU=Users,DC=company,DC=org)>' | Select-Object SamAccountName,UserPrincipalName | ConvertTo-Csv -NoTypeInformation"
  • Data Iterator to iterate through the CSV rows returned by the AD query
  • Resource Query
    • Get the user by querying on the SSOP value (the samAccountName from the current row)
    • <?xml version="1.0" encoding="UTF-8" standalone="yes"?><TRANSACTION user="user@company.org" method="getRMQuery"><SERVICE><![CDATA[SSOP]]></SERVICE><SERVICEATTRS><SERVICEATTR><NAME><![CDATA[USER]]></NAME><VALUE><![CDATA[<!samAccountName>]]></VALUE></SERVICEATTR></SERVICEATTRS><OBJECT><![CDATA[People]]></OBJECT><ATTRIBUTES><ATTRIBUTE><![CDATA[ID]]></ATTRIBUTE></ATTRIBUTES><OUTPUTSERVICEATTRS/></TRANSACTION>
  • Resource Update
    • Using the ID returned by your Resource Query, update that user's SSOP service entry to the userPrincipalName from the same row

Troubleshoot NoClassDefFoundError (bouncycastle.x509)

After configuring LSF for AD FS, we encountered an HTTP 500 error during a login smoke test. The error was being logged in SystemOut.log for our AppServer. The error message was:

[4/30/19 14:31:41:287 PDT] 000000e9 ServletWrappe E com.ibm.ws.webcontainer.servlet.ServletWrapper service Uncaught service() exception thrown by servlet SSOServlet: java.lang.NoClassDefFoundError: org.bouncycastle.x509.extension.SubjectKeyIdentifierStructure

To troubleshoot this, we first regenerated the AD FS certificate and reloaded it into the LSF IdP certificate entry in ssoconfig. This did not resolve the issue, so we then checked the Java security files. It turned out that they were out of date: the JCE policy jars in both JAVA_HOME and the WebSphere JRE, and the BouncyCastle provider jar, which is where the missing org.bouncycastle.x509 class is supposed to come from. First, download the latest JCE Unlimited Strength Jurisdiction Policy Files from Oracle and from IBM (use the vendor matching each JDK), and the BouncyCastle provider jar from the BouncyCastle website.

To determine the directories which need the replacement files, first open a command line as administrator and type "where java". This shows the path to java.exe for your main install of Java; the install root is the directory above bin. Go to that root, then into jre/lib/security, and replace local_policy.jar and US_export_policy.jar. The BouncyCastle jar file belongs in jre/lib/ext. Matching files must also be placed in your WebSphere Java home. To find that directory, open SystemOut.log and scan for the last time the AppServer was started; "Java Home" is displayed in the startup banner there. The directory structure under it is the same as in your main Java install.

Remember to back up (rename) your old policy files before copying the new ones into these directories. The running JVMs hold the jars open, so you'll have to stop your WebSphere services and end any remaining java processes before you can replace them.
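As an added example (not code from the original post), the following script performs the replacement procedure above for both JREs with the checks a practitioner would want: it refuses to run while java is still up, backs up by renaming rather than deleting, and verifies each copy by hash. It assumes the downloaded jars are already unpacked into one directory, that the WebSphere startup banner in SystemOut.log contains a line of the form "Java Home = <path>" (the post says "Java Home" is displayed there; the exact "key = value" layout is an assumption), and that the BouncyCastle provider jar follows BouncyCastle's usual bcprov*.jar naming. The directory and log paths are placeholders.

```powershell
# Added example (not from the original post). Replaces the JCE policy jars and the
# BouncyCastle provider jar in the main Java install and the WebSphere JRE.
# Assumptions: $NewJarDir holds local_policy.jar, US_export_policy.jar and bcprov*.jar;
# SystemOut.log has a "Java Home = <path>" line. Paths below are placeholders.
param(
    [string]$NewJarDir = 'C:\temp\java_security',                                            # placeholder
    [string]$SystemOut = 'C:\IBM\WebSphere\AppServer\profiles\AppSrv01\logs\server1\SystemOut.log'  # placeholder
)
$ErrorActionPreference = 'Stop'
$policyJars = 'local_policy.jar', 'US_export_policy.jar'

# 1) Refuse to run while any JVM exists: the jars are locked, and a half-updated JRE
#    is worse than an old one. Stop the WebSphere services first.
if (Get-Process -Name java, javaw -ErrorAction SilentlyContinue) {
    throw 'java is still running; stop the WebSphere services before replacing the jars.'
}

# 2) Locate the main Java install the way the post does ("where java"), then the
#    WebSphere JRE from the most recent "Java Home" line in SystemOut.log.
$javaExe  = (Get-Command java.exe).Source                  # same answer as "where java"
$mainRoot = Split-Path (Split-Path $javaExe -Parent) -Parent
$wasRoot  = Select-String -Path $SystemOut -Pattern 'Java Home\s*=\s*(.+?)\s*$' |
            Select-Object -Last 1 |
            ForEach-Object { $_.Matches[0].Groups[1].Value }
if (-not $wasRoot) { throw "No 'Java Home' line found in $SystemOut" }

# A JDK keeps its runtime under jre\; a plain JRE, or a Java Home that already points
# at the jre directory, has lib\security at the top level. Accept either layout.
function Get-SecurityDir([string]$root) {
    foreach ($candidate in @("$root\jre\lib\security", "$root\lib\security")) {
        if (Test-Path $candidate) { return $candidate }
    }
    throw "No lib\security directory found under $root"
}

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$newBc = Get-ChildItem -Path $NewJarDir -Filter 'bcprov*.jar' | Select-Object -First 1

foreach ($root in @($mainRoot, $wasRoot) | Select-Object -Unique) {
    $secDir = Get-SecurityDir $root
    $extDir = Join-Path (Split-Path $secDir -Parent) 'ext'

    # 3) Policy jars: rename the old file (never delete), copy, verify by hash so a
    #    silently failed copy cannot leave the old jar in place unnoticed.
    foreach ($jar in $policyJars) {
        $src = Join-Path $NewJarDir $jar
        $dst = Join-Path $secDir $jar
        if (-not (Test-Path $src)) { throw "Missing replacement file $src" }
        if (Test-Path $dst) { Rename-Item -Path $dst -NewName "$jar.$stamp.bak" }
        Copy-Item -Path $src -Destination $dst
        if ((Get-FileHash $src).Hash -ne (Get-FileHash $dst).Hash) {
            throw "Hash mismatch after copying $jar into $secDir"
        }
        Write-Output "Updated $dst"
    }

    # 4) BouncyCastle provider jar in lib\ext: this is the jar that supplies the
    #    org.bouncycastle.x509 class the SSOServlet failed to load.
    if ($newBc) {
        Get-ChildItem -Path $extDir -Filter 'bcprov*.jar' | ForEach-Object {
            Rename-Item -Path $_.FullName -NewName "$($_.Name).$stamp.bak"
        }
        Copy-Item -Path $newBc.FullName -Destination (Join-Path $extDir $newBc.Name)
        Write-Output "Updated $(Join-Path $extDir $newBc.Name)"
    }
}
```

Run it from an elevated PowerShell after the WebSphere services are stopped. The renamed .bak files are the rollback path: if the AppServer fails to start afterwards, rename them back over the new jars and restart.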